wget: URL-decode user:password before base64-encoding it into auth hdr. Closes 3625.

function old new delta percent_decode_in_place - 152 +152 parse_url 304 317 +13 handle_incoming_and_exit 2795 2798 +3 httpd_main 763 760 -3 decodeString 152 - -152 ------------------------------------------------------------------------------ (add/remove: 2/1 grow/shrink: 2/1 up/down: 168/-155) Total: 13 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2011-09-11 21:04:02 +02:00
parent 5126cf9a15
commit dd1061b6a7
4 changed files with 86 additions and 81 deletions
--- a/networking/wget.c
+++ b/networking/wget.c
@ -298,8 +298,13 @@ static void parse_url(const char *src_url, struct host_info *h)

 	sp = strrchr(h->host, '@');
 	if (sp != NULL) {
-		h->user = h->host;
+		// URL-decode "user:password" string before base64-encoding:
+		// wget http://test:my%20pass@example.com should send
+		// Authorization: Basic dGVzdDpteSBwYXNz
+		// which decodes to "test:my pass".
+		// Standard wget and curl do this too.
 		*sp = '\0';
+		h->user = percent_decode_in_place(h->host, /*strict:*/ 0);
 		h->host = sp + 1;
 	}

@ -660,12 +665,6 @@ static void download_one_url(const char *url)

 #if ENABLE_FEATURE_WGET_AUTHENTICATION
 		if (target.user) {
-//TODO: URL-decode "user:password" string before base64-encoding:
-//wget http://test:my%20pass@example.com should send
-// Authorization: Basic dGVzdDpteSBwYXNz
-//which decodes to "test:my pass", instead of what we send now:
-// Authorization: Basic dGVzdDpteSUyMHBhc3M=
-//Can reuse decodeString() from httpd.c
 			fprintf(sfp, "Proxy-Authorization: Basic %s\r\n"+6,
 				base64enc(target.user));
 		}